Method and Apparatus for Integrating Distributed Shared Services System

ABSTRACT

Method and apparatus for integrating distributed shared services system which integrates web based applications with each other and with other centralized application to provide a single sign-on approach for authentication and authorization services for distributed web sites requiring no access time back to the authentication/authorization server is provided.

PRIORITY CLAIM UNDER 35 USC §119

This application claims priority to provisional application No.60/179,584 titled Method and Apparatus for Integrating DistributedShared Services System filed on Feb. 1, 2000 under 35 USC §119.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to method and apparatus for integratingdistributed shared services system. In particular, the present inventionrelates to method and apparatus for integrating web based applicationswith each other and with other centralized application which provides asingle sign-on approach for authentication and authorization servicesfor distributed web sites and which requires no access time back to theauthentication/authorization server.

2. Description of the Related Art

The rising use of the world wide web (the web) for access anddistribution of information has prompted many service providers andretailers alike to adopt the internet as a principal information portalfor customers and clients. For example, traditional brick and mortarcompanies are creating and providing their web sites to interface andinteract with their customers. This approach is beneficial to bothparties alike for many reasons. Some of these reasons include the speedat which the sought information can be transferred to the intendedrecipient, the cost effective manner in which to provide informationcompared to, for example, traditional postal systems. In the case ofbanks, customers can easily log onto the bank's web site and after alogin procedure, can access their account information with little or nowait time. Moreover, depending on the speed at which the banks canupdate the account information, the customers can also retrieveup-to-date account activity information. At the other end, the banks canobtain substantial savings by providing and maintaining their web sitefor interaction with their customers as opposed to having dedicatedcustomer support personnel properly trained and made available aroundthe clock.

Recognizing the web site and the interne as a principal medium forbusinesses to interact with their clients and customers, in addition toproviding information specific to the client and customer vis a vis thebusiness, the businesses are also expanding their web sites to provideinformation and access to related businesses or links (for example, byproviding hypertext links within their web site linked to a UniformResource Locator (URL) of another related business or informationprovider).

In the case of brokerage firms and investment banks, in addition to theability to retrieve account information, the customers are likely to beinterested in information related to various financial instruments andactivities. For example, for a brokerage account holder who has a marginaccount with approval to trade in option contracts, the account holderis likely to be interested in information related to trading in optionssuch as call and put options, as well as detailed information on howoption contracts are created, bought, sold, traded, and the impact ofeach of such activity. By way of another example, a relatively newbrokerage account holder who recently opened a cash account and a 401Kaccount with the brokerage firm may be interested in obtaininginformation related to the various different types of IRA accounts,basic trading information and relative risks for the various tradingtechniques, and so on.

While some brokerage firms and investment banks may have the capabilityto provide such information, with a growing pool of account holders,many firms find it more expedient to initially outsource to outsidevendors who already have established practice of providing informationand/or service. In this manner, the firms can better attempt to meet thecustomers' demand for the rapidly increasing and varied types of relatedinformation and/or services.

One disadvantage to the outsourcing approach, however, is that in manycases, the users are required to provide login information each time theuser logs onto a third party vendor web site. For example, an accountholder with C. Schwab & Co., the assignee of the present application,may wish to enroll in an online interactive education courses that areoffered through Schwab.com web site but provided by a third partyvendor. After initially logging onto schwab.com's web site, the accountholder clicks on a hypertext link in schwab.com's web site, and theaccount holder's web browser is directed to the web site of the thirdparty vendor providing the online interactive education courses. Here,the Schwab account holder must log in once again to register or toresume the course from where it was left of during the last session.

While still within schwab.com's server domain, the account holder isnevertheless required to separately log onto the third party vendor'ssite. Such user authentication or validation is necessary each time theaccount holder clicks on a hypertext link to be redirected to anotherinformation source. Moreover, once the account holder provides thelog-in information to the third party vendor, the third party vendormust access back to the central server at schwab.com to verify theaccount holder's log-in information or to retrieve any other informationrelated to the account holder that may be relevant to the account holdervis a vis the third party vendor. For example, in the case where theaccount holder is returning to a previous online interactive educationcourse, once the account holder logs onto the third party vendor site,the server at the third party vendor accesses the central server atschwab.com to confirm that the account holder is indeed a Schwab accountholder, and furthermore, to determine where in the interactive coursethe account holder left off during the last session.

Additionally, the third party vendor may want to retrieve additionalinformation related to the account holder to better tailor the accountholder's interactive course. For example, assuming that the onlineinteractive education course provides information on options trading,the third party vendor would find it useful to have the account holder'strading history to determine whether the account holder has traded inoption contracts at all, and if so, how often and so on. This type ofinformation is especially useful to effectively design such interactiveeducation course to be suited for each account holder.

As discussed above, irrespective of the type of third party vendors andthe application or information provided, a user or an account holder isrequired to provide login information each time the user wishes toaccess the third party vendor application from a central server domainsuch as schwab.com.

SUMMARY OF THE INVENTION

In view of the foregoing, it would be desirable to have an integrateddistributed application system and method which require a single sign-onto the central server domain and permits access to other applicationswhether offered by third party vendors at a remote site or availablewithin the central server.

In accordance with one embodiment of the present invention, there isprovided a method of providing a single sign-on distributed applicationservices integration, comprising the steps of: receiving a firstindication of a user pointing a browser to a first application;receiving a cookie file of said browser corresponding to the user;updating said cookie file; receiving a second indication of said userpointing said browser to a second application; and providing saidupdated cookie file to said second application.

In accordance with another embodiment of the present invention, there isprovided a system for providing a single sign-on distributed applicationservices integration, comprising: a client terminal; and a centralserver coupled to said client terminal configured to receive from saidclient terminal a first indication of a user pointing a browser to afirst application and a cookie file of said browser corresponding to theuser; wherein said central server is further configured to update saidcookie file, and when a second indication of said user pointing saidbrowser to a second application is received from said client terminal,said central server provides said updated cookie file to said secondapplication.

In accordance with yet another embodiment of the present invention,there is provided a method of providing distributed application servicesintegration, comprising the steps of: detecting a user event; generatinga message corresponding to the detected user event; and providing saidmessage to one or more applications based on the user event.

In accordance with still yet another embodiment of the presentinvention, there is provided a system for providing distributedapplication services integration, comprising: a client terminal; and acentral server coupled to said client terminal for detecting a userevent at said client terminal; wherein said central server is furtherconfigured to generate a message corresponding to the detected userevent and to provide said message to one or more applications based onthe user event.

These and other features and advantages of the present invention will beunderstood upon consideration of the following detailed description ofthe invention and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an integrated, distributed shared servicesarchitecture in accordance with one embodiment of the present invention.

FIG. 2 illustrates a cookie based architecture for providing anintegrated, distributed shared services system in accordance with oneembodiment of the present invention.

FIG. 3 illustrates a messenger based architecture for providing anintegrated, distributed shared services system in accordance with oneembodiment of the present invention.

FIG. 4 illustrates a unified architecture for providing an integrated,distributed shared services system in accordance with one embodiment ofthe present invention.

FIG. 5 illustrates a flowchart for a user authentication process inaccordance with one embodiment of the present invention.

FIG. 6 illustrates a flowchart for a user event processing of a web sitein accordance with one embodiment of the present invention.

FIG. 7 illustrates a flowchart for a user event processing of a centralserver in accordance with one embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 illustrates an integrated, distributed shared servicesarchitecture in accordance with one embodiment of the present invention.As shown, there is provided an application layer 110, a services layer130 and an interface layer 120 which resides between the applicationlayer 110 and the services layer 130. The interface layer 120 isconfigured to receive requests for services from the various webapplications or other central server applications at the applicationlayer 110, and passes the received requests to the correspondingservices at the services layer 130 after performing the necessaryprotocol, formatting and other transformations. The interface layer 120is further configured to return any required results back to the callingapplication at the application layer 110 after performing necessaryprotocol, formatting or other transformations.

As shown in FIG. 1, the applications in the application layer 110 can beconfigured to reside on a central server's public web site or can behosted by third party providers such as Excite, DigitalThink, forexample. Other examples of applications can include moderated investorforums, personal home page, educational applications, promotions,e-mail, e-leads, and personalized content. As discussed above, theinterface layer 120 can be configured to provide the physicalconnections between the application layer 110 and the services layer130, protocol translation, monitoring, and cacheing between theapplication layer 110 and the services layer 130. As further shown inFIG. 1, the services layer 130 can include shared application such asreal time data store, data profile such as non-real time data store foranalysis, authentication process and registration processes.

In one aspect of the present invention, the applications from thecentral server's secure site can be configured to particulate in thearchitecture shown in FIG. 1. In this case, the interface layer 120 canbe configured to permit the applications to access the availableservices in the services layer 130 such as registration, authentication,and information access. Additionally, it is possible to have a givenservice to be hosted on multiple sites. For example, an authenticationservice can be hosted on multiple sites to be closer to the applicationscalling the service, as long as the data necessary to authenticate theusers can be replicated across these sites.

To permit proper communication between the applications in theapplication layer 110 and the services layer 130, in accordance with oneaspect of the present invention, an interface adapter may used tofacilitate application integration as will be discussed in furtherdetail below. In this manner, geographically dispersed andarchitecturally diverse and potentially changing set of applications canuse the integrated, distributed shared services architecture and permitchanges to them with the least amount of disruptions and effort.

In accordance with one aspect of the present invention, two key types ofdata movement are identified. The first type of data movement isconfigured for small data elements that must be made available todistributed web applications synchronously (i.e., in real time) in orderto drive, for example, user authentication and experience. Examples caninclude a common user identification and/or session keys used forauthentication or flags indicating which education courses a user iscurrently enrolled in to drive the user experience on other webapplications.

A second type of data movement includes data of varying size for whichnear real time movement is sufficient. Examples of this second type ofdata movement include information related to actions that users takewhich will drive e-mail or lead packages being generated or which willdriver user experience in subsequent sessions, and information aboutuser behavior gathered for purposes of analysis.

While the architecture shown in FIG. 1 presents a common interface layer120 to applications in the application layer 110 for services in theservices layer 130 requiring both types of data movement, in accordancewith the present invention, different approaches may be used for eachdata movement type as will be explained in further detail below. In thismanner, as requirements for data sizes and data movement timing changesover time, the applications do not have to be altered to accommodatethese changes.

FIG. 2 illustrates a cookie based architecture for providing anintegrated, distributed shared services system in accordance with oneembodiment of the present invention. As shown, in a central server's webdomain, there is provided a web application 210 which may optionallyreside at a remote vendor (third party)'s site, an application interfacelibrary 220, an optional encryption/decryption engine 230 and a cookieaccess library 240. The client terminal including client web browser 270and client browser cookies 260 are connected to the web application 210residing in central server's domain via the internet 250. As mentionedabove, the client terminal which can be in the form of a personalcomputer, a stand-alone internet access terminal and so on, is providedwith a client browser cookie layer 260 and a client web browser 270which resides at the terminal in the client side.

The web application 210 includes new or existing web application whichmay be located at the central server terminal or at a remote side, andresides in the central server's internet domain (e.g., schwab.com) inorder to share information and data with other applications in the samedomain. The application interface library 220 is a common libraryprovided to all web applications for accessing shared services. Theapplication interface library 220 is configured to expose high levelfunctions or methods to the application such as, for example, postingevents, requesting data, authenticating users. In the event that thedata for transmission contains sensitive information, theencryption/decryption engine 230 provides encryption and decryptionfunctions for the cookie files containing sensitive data. In one aspectof the invention, the encryption/decryption engine 230 may be omittedfor systems where sensitive data is not included in the cookie filesaccessed by the application. Finally, the cookie access library 240 isconfigured to provide services for reading or writing specified data tocookie files.

At the client terminal, the client browser cookie files 260 can beconfigured to be relatively small arbitrary strings of data stored by aclient's (user's) web browser that may be read and written by all webservers in a given central domain such as schwab.com. Moreover, theclient web browser 270 can be any available web browser such as InternetExplorer or Netscape Navigator.

The cookie based architecture shown in FIG. 2 is configured to sharesmall data fragments in real-time between web applications. Small datasegments can range from several hundred bytes (characters) but aretypically in the lower end of this scale. The entire data segmentcollection is generally no larger than 1 KB, but can be configured tohold a significant amount of state information. Typically, the entirecookie file would be no more than one to two hundred bytes. Thesecookies are written, read and modified by the application interfacelibrary 220 resident on each affiliated web server, whether local to thecentral server or residing in a remote partner's site using standardHTTP calls.

As shown in FIG. 2, the cookie based architecture is configured toprovide sharing of small amounts of data among web applications in areal-time, synchronous fashion such that the browser cookie files arepassed over the interne from one application to another by means ofbrowser redirects. The browser cookies are arbitrary strings of data upto 4 KB each, which may be placed on a user's system by a web server.Any web application in the same central server domain name (e.g.,schwab.com) may subsequently read the cookie when the browser isdirected to (i.e., requests) a web page, a CGI script or a java servletlocated on that server. A browser redirect is an instruction a webbrowser receives from a web server it has requested a resource (such asa web page, a CGI script, or a java servlet) from directing it toanother resource on the same or a different server. Additionally, asdiscussed above, cookie files containing sensitive data may beencrypted. In this manner, small amounts of user information can bestored and moved from one server to another for authentication processin the distributed systems, for example and encrypted and/or decryptedas necessary.

In one aspect of the present invention, a client or a user at a clientterminal points the client web browser 270 at a particular resource(page, CGI, script, etc) that is part of the web application and whichgenerates a need to make information about that event available to otherweb applications in real time. The cookie files for the server's centraldomain are then automatically passed from the client web browser 270 tothe web application 210. The web application 210 then calls anapplication interface library function from the application interfacelibrary 220 to make the needed information available. The type ofinformation to be shared and the data specific to this particular eventor instance is then passed to the function as a parameter in the form ofone or more NAME=VALUE pairs. The function calls cookie access libraryfunctions from the cookie access library 240 to read the current data inthe cookie. Moreover, if necessary, the cookie is encrypted by theencryption/decryption engine 230.

The cookie access library 240 then writes the data in the cookie fileback to the client web browser 270 via the internet 250. The clientsubsequently points the client web browser 270 to a resource that ispart of a different web application on a different site but still withinthe central server's domain that needs the information generated by theclient's activity in the previous web application. The new webapplication then calls the application interface library function fromthe application interface library 220 to request the desired informationusing the name part of the NAME=VALUE pair used to store the datainitially. The application interface library function then calls cookieaccess library functions from the cookie access library 240 to read thedata in the cookie, and if the cookie to be read is encrypted, thecookie is first decrypted by the encryption/decryption engine 230. Theapplication is now configured to perform specific action based on thevalue returned.

In accordance with one aspect of the present invention, the types ofdata that may be shared in the system shown in FIG. 2 include, forexample, a unique user identification (ID) provided by theregistration/authentication service and used by each we application touniquely identify each logged in user, and a unique identifier forvisitors who have never logged in but whose behavior can be tracked forpurposes of marketing analysis, personalization of content andpromotions, to name a few. Additionally, data flags indicating marketsegments of customers or prospective clients such as, for example,Signature Services, Schwab One, IRA, International, current prospects,currently enrolled or having completed certain interactive educationcourses, or recently posted messages to certain message boards orparticipated in certain forums.

FIG. 3 illustrates a messenger based architecture for providing anintegrated, distributed shared services system in accordance with oneembodiment of the present invention. As shown, in a central web domain,there are provided an application or data store 310, an optionalinterface adapter 320, an application interface library 330, an optionalencryption/decryption engine and a message queuing middleware 350,connected to a client side via the public internet or a local areanetwork (or optionally, to a frame relay wide area network WAN). Asfurther shown, the server terminal is provided with a message queuingmiddleware 370, an encryption/decryption engine 380 and a message broker390.

Similar to the architecture shown in FIG. 2, the application 310 of FIG.3 may be a new or an existing web application at a central server or aremote vendor (third party)'s site, or alternatively, may include othercentral server or a partner application or database such as LEADS,E-mail, MatchLogic, to name a few. The application interface library 330is similar to the application interface library 220 of FIG. 2 and is acommon library for accessing shared services. In contrast to theapplication interface library 220 of FIG. 2, however, the applicationinterface library 320 of FIG. 3 may include or call an interface adapter320 which is configured to directly access application system componentssuch as databases or memory locations.

Moreover, similar to the embodiment of FIG. 2, the encryption/decryptionengine 340 is provided to encrypt and decrypt data and may be omittedfor bypassed if the data does not contain sensitive information. Themessage queuing middleware 350 is configured to package data intomessages and assure their delivery, even over unreliable transport mediasuch as the internet. In the case where assured delivery is notrequired, the queuing portion of the operation shown in FIG. 3 may beomitted and only the message packaging function may be used. Thisapproach may be result in improved performance or reduced operationalburdens on other servers.

At the central server terminal, as shown in FIG. 3, there is providedthe message queuing middleware 370 similar in operation and function tothe message queuing middleware 350. Similarly, the encryption/decryptionengine 380 is configured to encrypt and decrypt data as with theencryption/decryption engine 340. The message broker 390 is configuredto provide message routing and transformation services, permittingcross-application logic to be centrally stored and managed at thecentral server terminal.

In the manner described above, in accordance with another aspect of thepresent invention, arbitrary volumes of data that can be sharedasynchronously in near real time can be reliably and securelytransported over the internet, which may be unsecure, using the messagequeuing middleware. Similar to the cookie based architecture discussedabove in conjunction with the embodiment shown in FIG. 2, in the messagebroker based architecture of FIG. 3, data is read from and written tothe message queues by the application interface library 330 whichresides on (or network-wise near) the web application or other thirdparty server that needs to share or access the data. Additionally, asdiscussed above, the interface adapter 320 may optionally interactdirectly with the application system components such as databases ormemory regions as needed on behalf of the application interface library330.

Moreover, the message broker based architecture shown in FIG. 3 containsa message broker component which provides message routing andtransformation services in the “hub” of the “hub and spoke” arrangement.In this manner, an event from an application 310 on a remote server in acentral domain may cause changes to multiple other applications in thecentral domain, each of which needs that event presented to it in adistinct format.

For example, when a user or a client who enrolls in an advanced optionstrading course on the interactive education application on a remotevendor's (third party to the main central server) site within thecentral server domain, as with most course enrollments, a welcome e-mailis caused to be generated from the e-mail channel to be sent to theuser. Additionally, considering the case where options trading courseenrollees have been targeted for personal follow ups via the SOMSapplication, all other we applications need to know when a person hasenrolled in the advanced options trading course so that contents such asbanners specifically designed for this type of potential investor may bedelivered to them instead of only those generic or randomly selectedcontent. Additionally, the marketing datamart may need to be informed sothat the efficacy of the targeted banners with respect to this type ofusers can be tracked.

The types of data sharing discussed above should be initiated by theoriginal web application 310 by simply posting the event via theapplication interface library 330, or alternatively, via an interfaceadapter 320 which is configured to monitor the changes to predeterminedtables or values in the internal database. The application interfacelibrary 330 formats the message and places it in a queue fortransmission over the internet even if communication is temporarilydisrupted. Additionally, the message can optionally be encrypted by theencryption/decryption engine 340 before the transmission to preserve thesecurity of the message being transmitted.

The message broker 390 at the central server receives the messagetransmitted from the web application 310 and determines, based on thecontent of the message, which other applications or data stores in thecentral server domain need to receive it. The message broker 390 furtherperforms any necessary data translation such that the message iscompatible to those applications or data stores that are to receive themessage, and thus make of the data contained in the transmitted message.Alternatively, the message broker 390 may directly communicate withlocal applications or data stores residing in the central serverterminal, or may encrypt and queue messages as needed to transmit themessages to remote locations over a public data network such as theinternet.

Accordingly, in accordance with one embodiment of the present invention,when a user event of interest occurs on a web or other application 310,the application 310 calls a function in the application interfacelibrary 330 to notify the “system” of the occurrence of the event. Theapplication 310 then passes one or more NAME=VALUE pairs as parametersto indicate the type of event that has occurred and the relevant datarelated to the event. Alternatively, the interface adapter 320 directlydetects the occurrence of the event by monitoring the internal database(which can be a system file or a memory location) of the application 310and calls the application interface library 330 for the appropriatefunction. The application interface library 330 then calls the messagequeuing middleware 350 to package the data for transmission to themessage broker 390. If necessary, the message is first encrypted by theencryption/decryption engine 340. In the case where assured delivery isnot necessary, the queuing portion of the message queuing middleware 350may be disabled for the message; otherwise the message is queued up fordelivery as soon as the communication path is open or available. If thetransport medium is reliable, local and secure, the message queuingmiddleware 350 may be bypassed and the application interface library 330may communicate directly to the message broker 390 or to anotherapplication interface library on another application or database.

The message queuing middleware 350 is configured to deliver the messageover the internet or a local area network, and when the message isreceived at the message queuing middleware 360, it is decrypted asnecessary by the encryption/decryption engine 380 and delivered to themessage broker 390. The message broker 390 reads the received message todetermine which other applications or databases connected to it needs toreceive the message. The message broker 390 then performs anytranslations or transformations needed so that the message is in aformat compatible to the receiving application or database. The messagebroker 390 then passes the transformed message to each application thatneeds the message either directly, or through the message queuingmiddleware 370, and encrypted by the encryption/decryption engine 380 asnecessary.

The receiving applications read the received message through their owncopies of the application interface library (and alternatively, throughtheir own interface adapter), decrypting the message as needed withtheir respective encryption/decryption engine and executing thenecessary functions based on the receipt of the notification of theoriginal event.

FIG. 4 illustrates a unified architecture for providing an integrated,distributed shared services system in accordance with one embodiment ofthe present invention. The operation of each components of theintegrated system as shown in FIG. 4 which corresponds to the likecomponents shown in FIGS. 2 and 3 are configured to function in similarmanner, and accordingly, the operation and function of eachcorresponding components shown in FIG. 4 will not be repeated here.

As will be discussed in further detail below, in accordance with oneembodiment of the present invention, with a single call from the webapplication, a single user event on a web site can cause a cookie fileto be updated in real time so that information about that event “tracks”the user for the duration of the user's session within the centralserver domain. Moreover, at the same time, the information related tothe event can be passed by a message in near real time to a registrationdata store such that when the user subsequently directs the user browserto an application, for example, within the central server terminal website, the application can receive a cookie file with the same datareflecting the most recently updated user event.

In other words, the application interface library 402 for the particularapplication (optionally residing at a remote third party vendor's sitewithin central server's domain) contains the information to determinewhether the user event needs to generate a change to a cookie file, amessage to the message broker 410, or to both. In this manner, theapplication interface library 402 can be modified in accordance with thechanges in the requirements without the need to change the callingapplication.

In one further aspect of the present invention, a configuration fileresides on the central web server hosting the web resources to beprotected by the system. The contents of the configuration file areupdated from a central data store and configuration console programwhich is configured to push the changes to the various web serverswithin the central server domain. The push would be performed over theweb using the same secure, asynchronous message queuing middleware 404that is used to send user events from the web servers, but in theopposite direction. In particular, the configuration file contains, foreach web server or web application, a list of user events that takeplace on the server on which actions need to be taken (e.g., messagessent to the message broker 410 and/or cookie files updated) and thedetails of what actions need to be taken for each type of user event.This information is then used to drive the behavior of the applicationinterface library 402 when a user event takes place.

The configuration file also contains a list of cookie fields that may beread or written by that particular application and whether theapplication had read access, write access, or both to each of thosefields. In this manner, disclosure of sensitive user information toapplications that do not need it or are not authorized access theretocan be prevented. Moreover, applications can be prevented from impingingor overlapping with each other by overwriting data in the cookie thatdoes not pertain to the particular application.

Moreover, the configuration file may also be used for the purpose ofimplementing a key rotation scheme for the keys used to encrypt/decryptthe cookie files and for the different components of the system, remoteand central, to authenticate themselves to one another. This isaccomplished by pushing to the configuration file, in the same manner asdescribed above, a list of key IDs, each with an expiration time and thekey itself. Thus, a login screen program can then provide in the cookiethe key ID (for example, in clear text) along with the rest of the data(encrypted with the key identified by the key ID). Thereafter, when theuser at the user terminal enters the protected web resource (either atthe central server or at a remote third party vendor site within thecentral server domain), the cookie access library 405 looks up the keyin the configuration file (which can be cached in a memory forperformance, and encrypted using the server's key for security) usingthe key ID in the cookie file, and then decrypts the remainder of thecookie data using the key that has been previously pushed to theconfiguration file. Furthermore, the login screen program would not usea given key until it has verified that the particular key has beensuccessfully uploaded to every web server. Additionally, the loginscreen program would stop using each key before that key's expirationtime has reached. A separate process on the web server wouldperiodically purge expired keys from the configuration file, or this canbe performed as part of the update process when new keys aretransmitted.

By way of an example, a User Agreement Management function is described.First, consider a case where the User Agreement (UA) for an interactiveeducation application is recently updated from an existing version (ver.1.8) to a new version (ver. 2.1). A message is then passed to theapplication interface library 402 by the message broker 410 indicatingthe change in the version of the User Agreement. The applicationinterface library 402 updates its internal table to reflect the new UAversion. The new version of the UA is also passed to the applicationinterface library 402.

A user who has been to the interactive education application before, buthas not seen the new version of the UA logs on and receives a cookiewhich contains a NAME=VALUE pair indicating the version of the UA (ver.1.8) this user has most recently viewed (e.g., IAEDUA=1.8). The userclicks on a link to go to the interactive education application, passingthe cookie to this application. The interactive education applicationthen calls a function in the application interface library 402 tocompare the last version of the UA viewed by the user (for example, fromtheir cookie) to the latest version of the UA stored in the applicationinterface library 402 (i.e., ver. 2.1). Having determined that the twoversion do not match, the application interface library 402 displays thenew UA to the user and accepts the user's acknowledgment when the userviews the new UA displayed. The application interface library 402 thenupdates the user's cookie with the NAME=VALUE pair (e.g., IAEDUA=2.1)and passes the same information to a registration database at thecentral server (e.g., schwab.com).

When the user clicks out of the interactive education application, butreturns in the same session to the interactive education application,since the cookie was updated to indicate that the user has seen thelatest version of the UA, the new version of the UA (i.e., ver. 2.1) arenot presented to the user for viewing. Subsequently, when the user logson in a different session, the user is given a cookie file with theupdated information from the central server's registration database(e.g., from the schwab.com registration database). At this time, whenthe user goes to the interactive education application, the applicationinterface library 402 compares the updated information in the cookie tothe latest version of the UA, and determining that the two versions ofthe UA match, the user is not presented with the UA for viewing again.

FIG. 5 illustrates a flowchart for a user authentication process inaccordance with one embodiment of the present invention. As shown, theoperation and function of the components of the architecture forproviding the integrated, distributed shared services system illustratedin FIG. 4 is further discussed. Accordingly, reference to the componentsshown in FIG. 4 will be made in conjunction with the operation andfunction illustrated in FIG. 5.

First, at step 501 the user terminal client web browser 412 submits anHTTP request with a cookie to a web application 401 such that the URL ofthe desired resource (e.g., application 401) available in the centralserver domain and the cookie is transmitted to the application 401.Having received the HTTP request and the cookie, at step 502 theapplication corresponding to the HTTP request (e.g., application 401)transmits the cookie to the application interface library 402. Theapplication interface library 402 at step 503 then performs userauthentication processing. In particular, the application interfacelibrary 402 transmits the cookie received from the client web browser412 to the cookie access library 405 which is configured to read thecookie data at step 504. In the event that the transmitted cookie isencrypted, the cookie access library 405 transmits the encrypted cookieto the encryption/decryption engine 403 which, at step 505 decrypts theencrypted cookie and passes the decrypted cookie back to the cookieaccess library 405. The cookie access library 405 then parses thedecrypted cookie at step 506 into cookie data and accordingly,determines whether the user ID is matched or not by returning a confirmauthentication or a null match command to the application interfacelibrary 402. With a matched user ID, the application interface library402 returns the result to the web application 401 which then deliversthe application content at step 507 for display at the client browser412 at step 508. On the other hand, if the authentication process isunsuccessful, a null match command is returned to the web application401 which then delivers redirect information with a HTTP redirect to theclient web browser 412 at step 509. The client web browser 412 thensubmits the HTTP redirect request to the login page of the applicationat step 510, and the login page URL and the cookie is sent to the loginpage at the client web browser 412 at step 511 where the user isprompted to input login information to access the desired application.

FIG. 6 illustrates a flowchart for a user event processing procedure toaccess a desired application in accordance with one embodiment of thepresent invention. As shown, when a user event occurs such as when auser/client requests access to a particular application or resource inthe central server domain, at step 601 the user at the user terminal webbrowser 412 submits an HTTP request corresponding to the requestedapplication or resource, transmitting the corresponding URL and thecookie file. At step 602, the corresponding web application 401 receivesthe HTTP request and the cookie file, and in turn, passes the event nameand the received cookie to the application interface library 402 whichposts the corresponding event at step 603. In other words, at step 603,the requested application or data store from the application interfacelibrary 402 places the message signifying the user event onto either abrowser cookie or a message queue for eventual delivery at step 607 toanother (or subsequent) data store or application. Again, theapplication, event and the user ID in the form of a message can beoptionally encrypted at step 608 by the encryption engine 409 when theyare placed onto the message queue before being transmitted from themessage queuing middleware 404 of the application or data store residentlocally at the central server or at a third party vendor site within thecentral server domain.

As discussed previously, the application interface library 402optionally passes the cookie at step 604 to the encryption/decryptionengine 403 as necessary to decrypt the cookie in the event that thereceived cookie is encrypted. Furthermore, the application interfacelibrary 402 passes the user ID, the corresponding event and the cookieto the cookie access library 405 which is configured to update thereceived cookie at step 605, and as necessary, encrypt the cookie bypassing the updated cookie to the encryption/decryption engine 403 atstep 606. The updated cookie (optionally encrypted) and the eventcontent is then passed to the user specified web application 401 at step609 and thereafter, at step 610, the content corresponding to the userspecified web application 401 is displayed on the client browser 412 atthe client terminal.

FIG. 7 illustrates a flowchart for the user event processing procedureat the central server in accordance with one embodiment of the presentinvention. As shown, at step 701 the message queuing middleware 408 atthe central server receives the message which contains informationrelated to the user specified application, user event and user ID fromthe message queuing middleware 404 and passes the same to the messagebroker 410 for parsing the message at step 702. Optionally, in the casewhere the received message is previously encrypted (for example, by theencryption engine 403 at step 608 shown in FIG. 6), the encryptionengine 409 at the central server terminal decrypts the message at step703 and returns the decrypted message to the message broker 410. Themessage broker 410 routes the parsed, decrypted message at step 704,that is, the message broker 410 determines which applications or datastores, whether local or remote, need to receive the incoming messageand routes them accordingly. Thereafter at step 705, the message broker410 transforms the message for the respective application or data storeinto the appropriate format suitable and compatible for the intendedapplication or data store determined at step 704.

As further shown in FIG. 7, at step 706, the message broker 410 providesthe updated user information from the parsed and optionally decryptedmessage to the shared product database resident at the central server toupdate the user cookie profile to reflect the user event based on themessage received. Additionally, the message broker 410 places thetransformed message on queue with the message queuing middleware 408 atstep 707 so that the message can be posted at the appropriateapplication or data store as shown by steps 708 and 709 in FIG. 7 wherethe corresponding applications are Leads and e-mail applications, bothof which are resident at the central server terminal.

In the manner shown above, the present invention provides andarchitecture for services and communication infrastructure on which acommon, distributed authentication and registration user experience canbe built. In particular, information provided by a user at anyapplication can be passed to the central registration repository via themessage broker. Thus, when a user logs on, a cookie can be placed ontheir web browser with this information so the user can “carry” it toevery application the user visits during the user's session. Moreover,data in cookies can be encrypted and decrypted with encryption librarieswhich can be incorporated into the application interface library. Mostmessage oriented middleware products either provide functions to encryptmessages or have hooks for using other encryption products or libraries.In one embodiment, the same encryption library can be used for bothmessage and cookies. Moreover, encryption libraries can be called fromthe application interface library to encrypt data before the data isplaced in a message or a cookie to ensure data security.

As discussed above, data that directly drives the user experience inreal time can be placed in browser cookies, thus minimizing userexperience performance during each session. Moreover, when there is nonetwork connection problems, even the near real time message passingarchitecture has a typical end to end latency of only a few seconds,thus maximizing user experience during each user session.

Furthermore, the architecture in accordance with the present inventionprovides a vehicle for different user registration and authenticationcomponents to operate together. This feature is invaluable inintegrating public web sites and secure site registration authenticationand registration, as well as in integrating any outsourcedregistration/authentication with in house components. With respect tothe web applications, any application that can call a library and belocation in the central server domain will be able to use the sharedservices for its registration and authentication. Indeed, thecookie-based authentication allows a user to log in once and move fromapplication to application without the need for re-authentication.Additionally, user behavior and user provided information can be passedto a central user profile repository using the message passing portionof the architecture. The relevant profile can then be placed in theuser's browser cookie at the time of user login process. Thus, eachapplication can read the cookie and use it to shape banners, prompts andother content based on the user behavior and provided information.

Alternatively, the user behavior information and user provided data canbe passed to other central server application and data stores such asE-Leads, SOMS, and the Email channel. Additionally, with the messagebroker, the application can simply post a message related to therelevant event. Then, the message broker can determine to whichapplications and data stores that information should be passed, andfurther, perform any needed format changes to accommodate for thedifferences between the sending and receiving applications or datastores.

As discussed, the architecture in accordance with the present inventionprovides a common vehicle for passing data from web applications to anydata warehouse, datamart or other repository designed for this purpose.Also, the message broker architecture relieves the web applications ofcreating separate communications for this purpose by simply posting therelevant event and the message broker determines whether to send theinformation to the repository, other central server applications or datastores, or any combination thereof with any necessary modification andtransformation to the format to provide compatibility.

By locating the message routing function in the central server messagebroker, the architecture in accordance with the present inventionpermits services and applications to be added or modified asrequirements evolve. Additionally, as discussed above, passing a cookiewith a reasonably small amount of data produces negligible impact on theresponse time for the users, and ensures that the data is available tothe application at the time the user accesses it.

Moreover, the application interface library exposes functions to allowan application to request data (request/response), send and forgetmessages with assured delivery and event notification with intelligentrouting with the message broker. Operating in conjunction with theinterface adapter, the application interface library can supply datadirectly to the application via an exposed API or by directly performingoperations on its database through a push operation. Indeed, theapplication interface library is intended to have a small footprint andbe readily accessible to applications in a wide variety of environments.Where additionally flexibility is required, the interface adapters canbe configured to monitor and interact with applications and their datastores, often with no changes to the application, thus providing anon-invasive architecture.

Furthermore, the application interface library and the cookie basedportion of the architecture can be deployed on multiple web servers setup for automatic rollover. Leading message brokers and message orientedmiddleware products can also be set up with multiple servers or multiplequeues designed to failover automatically in the event of planneddowntime or unanticipated system failure. Since the underlying datatransport is the internet, if a user can access an application fromclient terminal browser, the user access can also pass data to theapplication via its cookies. The message queuing middleware is designedto hold onto data in the event of a network failure, and to resumetransmission automatically when the connection is restored.

Finally, the architecture of the present invention is specificallydesigned to allow components to be bypassed or omitted when theirfunctionality is not required. Messages can be passed without queuingthem if assured delivery is not required, and encryption can be bypassedif the underlying data is not sensitive, and the message broker can bebypassed where local applications area already capable of communicatingto one another and interface adapters need not be deployed where theapplication interface library suffices. Moreover, alternatively, thecookie based architecture and the message broker based portion cab bedeployed separately, and later combined for greater functionality.

Various other modifications and alterations in the structure and methodof operation of this invention will be apparent to those skilled in theart without departing from the scope and spirit of the invention.Although the invention has been described in connection with specificpreferred embodiments, it should be understood that the invention asclaimed should not be unduly limited to such specific embodiments. It isintended that the following claims define the scope of the presentinvention and that structures and method within the scope of theseclaims and their equivalents be covered thereby.

1-37. (canceled)
 38. A system comprising: a first application residingin a central server coupled to a client terminal, the client terminalincluding a cookie file; a second application residing in the samedomain as the central server; a configuration file residing in thecentral server, wherein the configuration file contains a list of cookiefields that may be read or written to by the first application or thesecond application; and an application interface library residing in thecentral server, wherein the application interface library is configuredto provide the first application and the second application with accessto one or more cookie fields of the cookie file.
 39. The system of claim38, wherein the application interface library is configured to providethe first application with access to a first set of cookie fields of thecookie file and further configured to provide the second applicationwith access to a second set of cookie fields of the cookie file.
 40. Thesystem of claim 38, wherein the configuration file further contains alist of user events for which the cookie file needs to be updated. 41.The system of claim 38, wherein the cookie file is encrypted, the systemfurther comprising a decryption engine residing in the central serverand configured to decrypt the cookie file.
 42. The system of claim 38,further comprising a cookie access library residing in the centralserver, wherein the application interface library calls on functionsfrom the cookie access library in order to read or write data to thecookie.
 43. The system of claim 38, further comprising a message queuingmiddleware residing in the central server, wherein the applicationinterface library is further configured to receive data the firstapplication and transmit the data as a message through the messagequeuing middleware.
 44. A system comprising: a client terminal includinga cookie file; a central server coupled to the client terminal, thecentral server configured to detect a user event at the client terminal,wherein the central server is further configured to generate a messagecorresponding to the detected user event; a first application residingin the central server; a second application residing in the same domainas the central server; a configuration file residing in the centralserver, wherein the configuration file contains a list of cookie fieldsthat may be read or written to by the first application or the secondapplication; and an application interface library residing in thecentral server, wherein the application interface library is configuredto provide the first application and the second application with accessto one or more cookie fields of the cookie file.
 45. The system of claim44 wherein the application interface library is further configured torequest data from the first application or the second application, senddata to the first application or the second application, and to providenotifications when data or messages have been successfully and securelydelivered.
 46. The system of claim 44 wherein the application interfacelibrary is further configured to monitor interactions between the firstand second applications.
 47. The system of claim 44, further comprisingan encryption library to encrypt the data before the data is placed inthe message or cookie file.
 48. The system of claim 44, furthercomprising an interface adapter configured to directly access theapplication interface library with application system components. 49.The system of claim 48, wherein the interface adapter is configured tomonitor changes in the application system components.
 50. The system ofclaim 44, further comprising a message broker residing in the centralserver, wherein the message broker sends messages from the centralserver to one or more applications based on the user event.
 51. A methodof providing a single sign-on distributed application serviceintegration, comprising: using a client terminal to access a firstapplication on a central server, wherein the central server is coupledto the client terminal and is configured to detect a user event;receiving, using the client terminal, a cookie file corresponding to theclient terminal, wherein a configuration file resides in a centralserver and contains a list of cookie fields of the cookie, furtherwherein the first application has read and write access to the cookiefile as determined by the list of cookie fields; and using the clientterminal to access to a second application, wherein the secondapplication resides in the same domain as the central server, whereinthe second application has read and write access to the cookie file asdetermined by the list of cookie fields.
 52. The method of claim 51further comprising receiving notifications and messages from a messagebroker related to the user event, wherein the user event is at the firstor second application.
 53. The method of claim 51, wherein the messagesare transmitted through a queue of a message queuing middleware residingin the central server.
 54. The method of claim 51, wherein the first andsecond applications each include one or more predetermined resources.55. The method of claim 53, wherein the predetermined resources includeone or more of a web page, a CGI script and a java servlet.